
VENOMOUS#HELPER phishing campaign using RMM tools

Campaign · Happening score 36 · 2 unique sources, 2 articles

Summary


An active VENOMOUS#HELPER phishing campaign is abusing legitimate RMM software to establish persistent remote access to compromised hosts and has impacted over 80 organizations, mostly in the U.S. The operation has been active since at least April 2025. It uses an impersonation lure tied to the U.S. Social Security Administration (SSA) and deploys both SimpleHelp and ConnectWise ScreenConnect as parallel access channels. The dual-channel setup matters because one remote-access path remains available even after the other is detected or blocked, so a cleanup that removes only the tool that raised the alert leaves the host reachable.

Related Happenings

2025 Rise in legitimate-access intrusions across enterprise sectors

Target Trend
First: 01.04.2026 17:05 Last: 01.04.2026 17:05 Sources 1

How related: legitimate Remote Monitoring and Management (RMM) software as a way to establish persistent remote access to compromised hosts.

About this happening: **Legitimate access abuse** is now a leading intrusion pattern across **2025** investigations, increasing the risk of stealthy compromise across **manufacturing, healthcare, MSPs,...

Google Ads tax-search ScreenConnect malvertising campaign

Campaign
First: 24.03.2026 19:05 Last: 24.03.2026 19:05 Sources 1

About this happening: A **malvertising campaign** active since **January 2026** is using **Google Ads** and tax-related search terms to push rogue **ConnectWise ScreenConnect** installers, creating a p...

ConsentFix browser-native OAuth consent phishing campaign

Campaign
First: 14.01.2026 17:01 Last: 14.01.2026 17:01 Sources 1

About this happening: The **ConsentFix** campaign is a **ClickFix**-style **OAuth consent phishing** operation that hijacks **Microsoft accounts** by abusing the **Azure CLI OAuth app**. In the reporte...

ScreenConnect and NetSupport abuse for freight cargo hijacking

Malware Activity
First: 03.11.2025 18:46 Last: 03.11.2025 18:46 Sources 1

About this happening: Malicious deployment of **ScreenConnect**, **NetSupport**, and related **RMM tools** is giving attackers remote control over **freight-broker** and **trucking carrier** systems, e...

Syncro MSP agent deploying ScreenConnect for remote access

Malware Activity
First: 15.10.2025 22:22 Last: 15.10.2025 22:22 Sources 1

About this happening: The **Syncro** payload installs **ScreenConnect** through a hidden remote-management agent, giving operators **remote access** to infected endpoints and a path to **follow-on payl...

Timeline

  1. 05.05.2026 17:00 · 1 article

    VENOMOUS#HELPER campaign uses SSA lure, gruta[.]com.mx redirect and wmic.exe.bak evasion

    Technical Analysis Update

    Securonix found the VENOMOUS#HELPER phishing campaign using emails impersonating the US Social Security Administration to send victims to gruta[.]com.mx, which served an SSA-branded harvesting page before redirecting to payload delivery from a separate compromised cPanel account. The campaign pairs a self-hosted SimpleHelp 5.0.1 instance with a ConnectWise ScreenConnect relay. The downloaded JWrapper-packaged binary was signed by SimpleHelp Ltd with a valid Thawte certificate, so signature validation and signer-based allow-listing do not distinguish this install from a legitimate SimpleHelp deployment. In a one-hour observation window Securonix recorded 986 background process-creation events, and WMIC was executed through a copy of wmic.exe renamed to wmic.exe.bak, which evades EDR rules that match only on the process name.

  2. 04.05.2026 21:06 · 1 article

    VENOMOUS#HELPER campaign uses SimpleHelp and ScreenConnect for persistent access

    Initial Disclosure

    Securonix described an active VENOMOUS#HELPER phishing campaign that has been observed since at least April 2025, has impacted over 80 organizations mostly in the U.S., and abuses legitimate RMM tools by deploying customized SimpleHelp and ConnectWise ScreenConnect to establish persistent dual-channel remote access on compromised hosts.

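The three signals that matter for hunting this tradecraft are the ones the summary and the technical-analysis entry describe: a LOLBin copied under another name (wmic.exe.bak), two RMM families on the same host, and an abnormal burst of process creations from a background agent. The script below is an added example, not Securonix's code or anything from the original page; it runs the three checks over constructed Sysmon-style process-creation records. The Sysmon field OriginalFileName (taken from the PE version resource) is what defeats the rename trick. The SimpleHelp and ScreenConnect install paths, the host names and the 500-events-per-hour threshold are assumptions for the demo; the sample events are constructed, not real telemetry.

```python
"""Hunt for VENOMOUS#HELPER-style tradecraft in process-creation telemetry.

Added example, not from Securonix or the original page. Input is a list of
Sysmon Event ID 1-like records with UtcTime, Computer, Image, OriginalFileName,
CommandLine and ParentImage fields. All sample data below is constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime
import ntpath

# Windows binaries commonly abused as LOLBins; matched on OriginalFileName.
LOLBINS = {"wmic.exe", "powershell.exe", "cmd.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# Substrings that identify each RMM family in Image, ParentImage or CommandLine.
RMM_MARKERS = {
    "simplehelp": ("simplehelp", "jwrapper"),
    "screenconnect": ("screenconnect", "connectwise"),
}

# Hypothetical install paths for the demo (assumed, not from the page).
SIMPLEHELP = r"C:\Program Files\SimpleHelp\Remote Access.exe"
SCREENCONNECT = (r"C:\Program Files (x86)\ScreenConnect Client (demo)"
                 r"\ScreenConnect.ClientService.exe")


def _ev(utc, host, image, orig, cmd, parent):
    return {"UtcTime": utc, "Computer": host, "Image": image,
            "OriginalFileName": orig, "CommandLine": cmd, "ParentImage": parent}


# Constructed sample events: WS01 is the compromised host, WS02 is benign.
SAMPLE_EVENTS = [
    _ev("2026-05-04 14:02:11", "WS01",
        r"C:\Users\jdoe\AppData\Local\Temp\wmic.exe.bak", "wmic.exe",
        'wmic.exe.bak process call create "cmd.exe /c whoami"', SIMPLEHELP),
    _ev("2026-05-04 14:03:40", "WS01", SCREENCONNECT,
        "ScreenConnect.ClientService.exe", '"ScreenConnect.ClientService.exe"',
        r"C:\Windows\System32\services.exe"),
    _ev("2026-05-04 15:10:00", "WS02", SCREENCONNECT,
        "ScreenConnect.ClientService.exe", '"ScreenConnect.ClientService.exe"',
        r"C:\Windows\System32\services.exe"),
    _ev("2026-05-04 15:11:00", "WS02", r"C:\Windows\System32\wbem\WMIC.exe",
        "wmic.exe", "wmic os get caption", r"C:\Windows\System32\cmd.exe"),
]
# Background noise: 600 cmd.exe children of the SimpleHelp agent on WS01
# spread across one UTC hour (minute = i // 10, second = (i % 10) * 6).
SAMPLE_EVENTS += [
    _ev(f"2026-05-04 14:{i // 10:02d}:{(i % 10) * 6:02d}", "WS01",
        r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd.exe /c tasklist",
        SIMPLEHELP)
    for i in range(600)
]


def renamed_lolbin(ev):
    """True when the PE's OriginalFileName is a known LOLBin but the on-disk
    file name differs (wmic.exe copied to wmic.exe.bak). A rule keyed only on
    the process name misses this; the version-resource name does not."""
    orig = (ev.get("OriginalFileName") or "").lower()
    name = ntpath.basename(ev.get("Image", "")).lower()
    return orig in LOLBINS and name != orig


def rmm_families(ev):
    """Set of RMM families referenced anywhere in the event's path/command fields."""
    hay = " ".join((ev.get("Image", ""), ev.get("ParentImage", ""),
                    ev.get("CommandLine", ""))).lower()
    return {fam for fam, marks in RMM_MARKERS.items() if any(m in hay for m in marks)}


def hosts_with_dual_rmm(events):
    """Hosts where both SimpleHelp and ScreenConnect appear: the dual-channel
    fallback the campaign relies on, which single-tool remediation leaves intact."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["Computer"]] |= rmm_families(ev)
    return sorted(h for h, fams in per_host.items()
                  if {"simplehelp", "screenconnect"} <= fams)


def hourly_bursts(events, threshold=500):
    """(host, UTC hour) pairs whose process-creation count reaches threshold.
    The threshold is an assumption; Securonix reported 986 events in one hour."""
    counts = Counter()
    for ev in events:
        hour = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%d %H")
        counts[(ev["Computer"], hour)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def hunt(events):
    return {
        "renamed_lolbin": [ev for ev in events if renamed_lolbin(ev)],
        "dual_rmm_hosts": hosts_with_dual_rmm(events),
        "bursts": hourly_bursts(events),
    }


if __name__ == "__main__":
    findings = hunt(SAMPLE_EVENTS)
    for ev in findings["renamed_lolbin"]:
        print("renamed LOLBin:", ev["Computer"], ev["Image"], "->", ev["OriginalFileName"])
    print("dual-RMM hosts:", findings["dual_rmm_hosts"])
    print("bursts:", findings["bursts"])
```

The legitimate WMIC run on WS02 is not flagged because its on-disk name matches OriginalFileName, and WS02 is not a dual-RMM host because only ScreenConnect is present there. In a real deployment, feed the hunt from a SIEM export of Sysmon Event ID 1 (or the EDR's equivalent process-start telemetry) and tune the burst threshold to the host's baseline rather than to the single figure from this report.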